[Bro] Question about capture loss script vs. broctl netstats
Derek Banks
itsecderek at gmail.com
Tue Jun 25 11:07:05 PDT 2013
I apologize if this has been answered already - I was searching through the
list archives and didn't seem to find the answer.
I have configured a RHEL 6 server with the latest Bro from the repository
and pf_ring 5.2.2.
It seems pf_ring works - I run pfcount on my capture interface and it sees
traffic and reports no packet loss.
I have Bro configured per the post at
http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html and
everything starts fine and Bro is up and running.
I run netstats in the Broctl shell and get:
worker-0-1: 1372179895.260001 recvd=64969350 dropped=0 link=64969350
worker-0-2: 1372179895.461289 recvd=66422051 dropped=0 link=66422051
worker-0-3: 1372179895.660990 recvd=64099315 dropped=0 link=64099315
worker-0-4: 1372179895.861853 recvd=61738222 dropped=0 link=61738222
But in the notice.log file I see:
1372179930.880560 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 38.520% - - - - - worker-0-3 Notice::ACTION_LOG 3600.000000 F - - - --
1372179930.908354 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 37.415% - - - - - worker-0-4 Notice::ACTION_LOG 3600.000000 F - - - --
1372179930.923939 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 40.462% - - - - - worker-0-1 Notice::ACTION_LOG 3600.000000 F - - - --
1372179930.923939 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 42.910% - - - - - worker-0-2 Notice::ACTION_LOG 3600.000000 F - - - --
So my question is, am I dropping packets or am I good to go?
Best Regards,
Derek Banks
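
The comparison the message asks about, as an added example that is not part of the original post: a Python script that parses the netstats output and the CaptureLoss::Too_Much_Loss notices quoted above and lists the workers where the two loss figures disagree. The function names, the 1-point tolerance and the choice of dropped/link as the interface drop rate are assumptions; the sample lines are copied from the post with each notice record on one line.

```python
import re

# Sample input copied from the post above.
NETSTATS = """\
worker-0-1: 1372179895.260001 recvd=64969350 dropped=0 link=64969350
worker-0-2: 1372179895.461289 recvd=66422051 dropped=0 link=66422051
worker-0-3: 1372179895.660990 recvd=64099315 dropped=0 link=64099315
worker-0-4: 1372179895.861853 recvd=61738222 dropped=0 link=61738222
"""
NOTICES = """\
1372179930.880560 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 38.520% - - - - - worker-0-3 Notice::ACTION_LOG 3600.000000 F - - - --
1372179930.908354 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 37.415% - - - - - worker-0-4 Notice::ACTION_LOG 3600.000000 F - - - --
1372179930.923939 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 40.462% - - - - - worker-0-1 Notice::ACTION_LOG 3600.000000 F - - - --
1372179930.923939 - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 42.910% - - - - - worker-0-2 Notice::ACTION_LOG 3600.000000 F - - - --
"""

NETSTATS_RE = re.compile(r"^(\S+): [\d.]+ recvd=(\d+) dropped=(\d+) link=(\d+)", re.M)
NOTICE_RE = re.compile(r"CaptureLoss::Too_Much_Loss .*? above ([\d.]+)%.*?(worker-\S+)")

def interface_drop_pct(text):
    """Per-worker drop percentage as counted by the capture interface (dropped/link)."""
    return {worker: 100.0 * int(dropped) / int(link) if int(link) else 0.0
            for worker, _recvd, dropped, link in NETSTATS_RE.findall(text)}

def estimated_loss_pct(text):
    """Highest capture-loss estimate per worker found in notice.log lines."""
    estimates = {}
    for line in text.splitlines():
        match = NOTICE_RE.search(line)
        if match:
            pct, worker = float(match.group(1)), match.group(2)
            estimates[worker] = max(estimates.get(worker, 0.0), pct)
    return estimates

def compare(netstats, notices, tolerance=1.0):
    """Workers whose two loss figures differ by more than `tolerance` percentage points."""
    nic, est = interface_drop_pct(netstats), estimated_loss_pct(notices)
    return {w: (nic[w], est[w]) for w in sorted(nic.keys() & est.keys())
            if abs(est[w] - nic[w]) > tolerance}

if __name__ == "__main__":
    for worker, (nic, est) in compare(NETSTATS, NOTICES).items():
        print(f"{worker}: interface drop {nic:.3f}%  capture-loss estimate {est:.3f}%")
```

netstats reports the capture interface's own packet counters, while the capture loss script estimates loss from TCP ACKs for data Bro never saw, so the two figures measure different things and can disagree as they do here.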